Forum Replies Created

Viewing 15 posts - 1 through 15 (of 21 total)
  • mcnaugha
    Participant

    Did anyone ever solve this? I’m seeing the problem now as we’re moving all of our schools to 2008 R2. 10.6 and 10.7 work fine. 10.5.8 gets Kerberos ticket but seems unable to access the SMB service coming from the Windows servers. All Macs bound to AD. Kerberos working perfectly it seems.

    in reply to: Mac Pro RAID card disaster #378812
    mcnaugha
    Participant

    I’m afraid we got nothing from Apple, despite having an AppleCare support contract. It cost us £6,000 to get the data recovered.

    We have since transitioned to Mac Pro (Early 2009) with RAID Card (2009). This new revision of the card has been much safer so far. We now have these deployed in many of our large sites. We’ve also opted for RAID 0+1 instead of RAID 5. The performance of RAID 5 with these cards was particularly poor. Performance with RAID 0+1 has been much more impressive. I’m actually hoping this choice proves safer for recovery too.

    in reply to: Workgroup Manager not allowing diradmin to make changes #377908
    mcnaugha
    Participant

    Resolved this myself. It was because I ran changeip on an old system and changeip ran it on the new system over the network. Thanks Apple! (not!). Various entries in the db were pointing to the IP of the decommissioned server. Hence it couldn’t authenticate. I managed to rerun changeip on just the IP addresses and it repaired everything and all was well again.

    in reply to: Workgroup Manager not allowing diradmin to make changes #377906
    mcnaugha
    Participant

    Did you solve this? I’m experiencing this today. I’m concerned it’s because changeip ran on the wrong directory. Otherwise I haven’t been able to explain this yet. I am able to edit LDAP using a java-based editor but Workgroup Manager refuses.

    servermgrd errors report that servermgr_accounts got error 5203 trying to auth to local LDAP node

    error 5203 seems to mean authentication server timed out

    in reply to: Server hangs after a few hours of inactivity #377884
    mcnaugha
    Participant

    Hi Tycho,

    Try adding all volumes to the Spotlight Privacy tab. Sounds like you’re experiencing the Spotlight bug present in 10.6-10.6.2.

    Cheers.
    A.

    in reply to: OS X + LDAP + SMB + PDC #376726
    mcnaugha
    Participant

    I resolved this by using a simple process I had forgotten I discovered last August.

    First, on the Master, run the following post-archive restoration:

    sudo mkpassdb -kerberize

    Then you need to demote the PDC on the Master back to Standalone. Don’t worry, unlike demoting the Open Directory, this won’t destroy anything. Then re-promote to PDC. This somehow re-sequences the Domain SID.

    After the above my BDC capability on a new Replica was restored. 😀

    in reply to: OS X + LDAP + SMB + PDC #376712
    mcnaugha
    Participant

    Did you get this error resolved? We’re now getting this after recovering from a disaster situation.

    Our original Master died with no backup. The replica was promoted to Master and then we took an OD Archive out of it and transplanted that into a new Master. Then we clean installed the replica and activated it as a replica. At first there was some sort of password error but then everything was ok. Switching to SMB to change to BDC results in an instant failure and the only evidence showing is that message you got above.

    in reply to: Software Update Server in Leopard pooched? #373310
    mcnaugha
    Participant

    I’ve seen this on a couple of sites now and I think it’s down to swupd not being able to utilise any web proxy settings set within Mac OS X.

    This seems like a silly mistake by Apple… swupd should route through the proxies as defined in Network pane. So what can we do to get it to go out through this while we wait for Apple to fix this?

    in reply to: ADOD Synchronization – Anyone out there doing this? #369565
    mcnaugha
    Participant

    I think the last reason there may be the strongest. We’re talking about approx. 300 OS X Servers. At the moment they all run their own independent ODM.

    I have attempted to present the now traditional way of doing things, but he’s determined to at least research some potential solutions here.

    Everything I’ve read on the web so far seems to indicate that people have attempted this and apparently given up at some point.

    I will pass on your comments, give our enthusiastic Windows/Linux techs a chance to try something, and post again with the final outcome.

    We have another major education district here that went completely AD and modified the schema to support MCX.

    For this customer I suspect it will have to be a complete move to magic/golden triangle or after October… the CoD (Cylinder Of Destiny)!

    in reply to: ADOD Synchronization – Anyone out there doing this? #369541
    mcnaugha
    Participant

    Hey Joel and Josh,

    Thanks for replying. I’m an ACT/ACSA and consulting engineer with many years of integration experience. I attended WWDC07 there and saw you guys. Great sessions. “Bending Directory Services to your will” was just the best wasn’t it? If only we had an official event from Apple like WWDC in Europe. I think they need to split the IT track into two though. One track for newbies and another for old hacks. PLUS… more promotion of Apple Training! So many people appeared hungry for the knowledge that can be provided by the Apple Training courses and yet no one promoted them at any session. Is that Steve up to his old anti-training tricks??? 😆

    This is an advanced customer who does not want to switch to AD. He prefers to prove that the Apple technology is solid. He wants to leave the Mac servers with their own databases and merely sync accounts back to a central system. This is needed because of a new country-wide education network that is currently under construction. The aim is to have country-wide single accounts. At the moment it looks like AD will be the focus.

    My IT colleagues have suggested MS’ Federated Identity stuff. http://www.microsoft.com/windowsserver2003/technologies/idm/FederatedIdentity.mspx So we’re going to look at that and talk directly with MS about it. Had you seen this before?

    This definitely seems like a hole in the market. If someone can produce a solution which will allow you to sync accounts back and forth then that could be a killer app. All we’d need is the accounts. MCX can continue to reside solely on the Mac server.

    mcnaugha
    Participant

    Guess what… you just have to be patient. One system took ten minutes of sitting at “locating relocatable files” before proceeding with the rest of the update.

    Both troubled servers now happily running 10.4.9.

    mcnaugha
    Participant

    I hear myself saying “that’s great news”, meaning we are not alone… but it’s not really great that you’re also having the problem.

    Do you have any Apple support channel you can escalate to? I’ve tried mine (Service Provider email support)… but so far radio silence.

    I have also logged a bug with AppleSeed… however it may be too late to get anything done about it through this channel.

    mcnaugha
    Participant

    That’s the only way I hadn’t tried. Here is the output – which occurs almost immediately:

    installer: Cannot install on volume / because its disabled.
    installer: You are attempting an unsupported installation. Please download and install the correct package.

    This happens with both the Delta and Combo PPC updates. This is most definitely a PPC system.

    Because 3 out of 4 of the packages contained in the Server updates ran successfully… I am testing directly with the OS package and not the others.

    in reply to: Help us silence slapd with its GSSAPI errors #368560
    mcnaugha
    Participant

    Actually it seems these commands do clear the problem… but you need to reboot afterwards for it to take effect:

    sudo kadmin.local -q 'ktrem ldap/FQDN'
    sudo kadmin.local -q 'delprinc ldap/FQDN'
    sudo kadmin.local -q 'ank -randkey ldap/FQDN'
    sudo kadmin.local -q 'ktadd ldap/FQDN'

    in reply to: 10.4 Clients hang on log on windows #368559
    mcnaugha
    Participant

    This is actually a fix specified by Apple to help Active Directory plug-in login issues. It should really be specified for anyone having your issue.

    What I think is happening is that the automount process is trying to do too many mounts at once from a server with multiple automounts. The -1 option simply tells it to do one at a time.

    If you ask me… this fix should be rolled out into a general release. It is affecting a lot of people. I haven’t checked to see if 10.4.9 does it. Probably not though.
